Three security researchers claimed Sunday that they have found the first exploitable vulnerability in Apple's iPhone, a flaw that allows them to steal any data from the device or even to turn it into a remote surveillance tool.
The trio -- Charles Miller, formerly with the National Security Agency; Jake Honoroff; and Joshua Mason of Baltimore-based Independent Security Evaluators (ISE) -- have notified Apple of the vulnerability and given the company less than two weeks to fix the bug before Miller presents more information at the Black Hat conference on Aug. 2.
According to a paper posted by the three, they rooted out a vulnerability in the iPhone's version of Safari using "fuzzing" tools and wrote a proof-of-concept exploit that can be delivered from a malicious Web site or using "man in the middle" tactics to trick users into connecting to a malicious wireless access point.
Once the exploit runs, it's essentially game over, the researchers said: The iPhone is owned. "In our proof of concept, this code reads the log of SMS messages, the address book, the call history and the voicemail data," the researchers wrote on the ISE site. "It then transmits all this information to the attacker."
But wait -- there's more!
That, however, could be just the beginning.
The researchers claimed that a second exploit actually operated the iPhone remotely once the device was hijacked. "When we viewed a second HTML page in our iPhone, it ran the second exploit payload which forced [the iPhone] to make a system sound and vibrate for a second," they said in the paper. "Alternately, by using other API functions we discovered, the exploit could have dialed phone numbers, sent text messages, or recorded audio (as a bugging device) and transmitted it over the network for later collection by a malicious party."
The vulnerability was reported to Apple last Tuesday, July 17. "We proposed a fix they could include in a future iPhone update," the researchers said, "but we don't know if they plan to do so. They responded and are looking into it."
In an e-mail late Sunday night, Apple spokeswoman Lynn Fox would only say: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We're looking into the report submitted by I.S.E. and always welcome feedback on how to improve our security." She declined to answer questions about the Aug. 2 deadline, whether Apple would issue a patch before then, or what the company thought of the way the trio disclosed the vulnerability.
Miller will provide more information on the vulnerability and exploit at the upcoming Black Hat 2007 security conference, which opens next Saturday, July 28, in Las Vegas.
But is this the ethical way?
ISE's president, Avi Rubin, defended the decision to announce the existence of the vulnerability prior to a patch being made available by Apple. "Why are we doing that? Well, I believe that there is a social responsibility to report it when a device is vulnerable to attackers," said Rubin on his own blog Sunday. "People buy these things and use them in ways that put their identity and their online accounts at risk, and by exposing these vulnerabilities, we can make users better judges of how to use their high-tech devices." Rubin is familiar to many security observers from his research into problems with electronic voting systems.
The paper by Miller, Honoroff and Mason also spelled out a number of weaknesses in the iPhone's security architecture, although it didn't specifically pin the vulnerability on any of those flaws. One, however, most likely contributed to the reach of the exploit.
"There are serious problems with the design and implementation of security on the iPhone," the paper said. "The most glaring is that all processes of interest run with administrative privileges. This implies that a compromise of any application gives an attacker full access to the device."
Other deficiencies the trio cited in the iPhone's operating system included not using address randomization -- a technique applied by Windows Vista that's designed to make it tougher for hackers to write reliable attack code -- and allowing code in the heap to execute.
Those last two shortcomings have been criticized in the desktop version of Mac OS X for some time. Three months ago, during the fallout after a hacking contest that jacked a MacBook Pro notebook, HD Moore -- the vulnerability researcher noted for the Metasploit hacking and attack testing software -- took on the claim that Mac OS X is safer than Windows. "The Mac OS X platform is years behind Linux, Windows, and OpenBSD in terms of operating-system security," said Moore then. "All of the above platforms support some form of address randomization (ASLR) and include features that make exploitation slightly more difficult."
The ISE researchers have also posted a short video of their hack in action on YouTube.